This thread was created in response to the following IRC request:

14:22 < nueva> geekmstr: will you post to mobileread about kexec?

The news is that multiple people (including nueva and geekmaster) have successfully booted a custom linux kernel on our kindle touch from an SSH shell, by using the kexec program to load a diags kernel image file from the USB drive and to boot the kindle from it.

The information provided here includes a "cleaned up" IRC transcript, serial port status messages captured during a kexec kernel boot, and other files from links provided by nueva and geekmaster.

IRC Transcript:


----- Tue Feb 28 2012 -----
15:15 : nueva : looks like KT kernel is compiled with CONFIG_KEXEC=y
15:19 : nueva : wondering, is it enough to load new kernel from FS by invoking
kexec in /sbin/init?
17:58 : nueva : after some googling I've realized that there is a good chance of
working kexec on stock KT kernel. I've downloaded kexec executable from Debian archive
(kexec-tools package for armel arch) and it is showing help just fine on KT
17:58 : nueva : anybody has a compiled kernel of KT?
18:00 : nueva : ah, ok. I can dd the stock kernel by myself from /dev/mmcblk0 to a
file
18:01 : nueva : geekmstr: I believe you know how to do it. ^^ do you?
18:01 : nueva : can you help with starting offset of kernel and its length?
18:17 : geekmstr : I ripped the stock kernels (main and diags) out of my mmcblk0.img
backup. Do you want them? I need a SPECIAL uboot compile that does not overwrite them
with the mmc copy when it boots though...
18:22 : geekmstr : Stock kernels start at 0x41000 (main) and 0xe41000 (diags). The 4th
dword is the kernel length, but you need to add 0x80 to that (to compensate for the
flash header). You can see that there are usually many 0xff past the end of the image
block. And do not dd more than bs=1024 out of it or you might lose the last partial
block (depending on default dd options)...
18:25 : nueva : could you upload diag kernel somewhere?
18:27 : geekmstr : I make .tar.gz (diags_kernel.img.tgz).
18:28 : geekmstr : 2.4 MB
18:35 : geekmstr : http://www.mediafire.com/?91e9rcsfy59y1ur
18:44 : nueva : ok. got the file. thanks. I asked for diag kernel, because if kexec
will be successful, I'll reload into a diag mode which will be distinctive sign of
success
18:44 : nueva : do you have also an init string for diag kernel?
18:51 : nueva : found init string in /proc/cmdline, thanks
18:53 : nueva : is diag partition /dev/mmcblk0p3 ?
18:53 : geekmstr : p3 is /var/local
18:53 : nueva : oh shit :D
18:55 : nueva : no, there was /dev/mmcblk0p1 as root defined in init string and
I've changed it to /dev/mmcblk0p3 :)
18:55 : geekmstr : That init string was not diags. Diags may use different params.
18:56 : nueva : it was stuck but after a hard reset it is rebooted (into a main
mode) just fine
19:00 : nueva : ok, no success even with /dev/mmcblk0p2. it stuck on image with
tree on some time then rebooted into a main mode automatically. I guess you are right
and I need real init string for diag mode.
19:13 : geekmstr : consoleblank=0 rootwait ro ip=off root=/dev/mmcblk0p2 quiet
user_debug=31 eink=fslepdc video=mxcepdcfb:E60,bpp=8 console=ttymxc0,115200
19:13 : geekmstr : diags cmdline ^^^
19:14 : nueva : thanks, will try
19:24 : nueva : no success, though kexec executes without any error (I mean,
'kexec' program doesn't complain about anything). I hope that these fails are just
because of my lack of knowledge
19:25 : geekmstr : according to yifanlu, the kindle resets the kernel cmdline.
changing does not work...
19:40 : nueva : looks like stock kernel at least reacts to kexec invoking. I see in
log messages "Starting new kernel" and "Bye!".
20:07 : Nyoxi : no luck with the kexec I see
20:13 : Nyoxi : nueva: did you specify where is initrd somehow?
20:13 : nueva : aha. first attempts failed. no explicit errors though, so
there is still a chance
20:13 : nueva : no, I didn't
20:15 : Nyoxi : nueva: what are the ways of passing initrd to the kernel?
20:15 : Nyoxi : and I assume after the kexec fails for you, you have to restart,
right?
20:16 : nueva : there is an option in kexec tool for pointing to initrd
20:16 : Nyoxi : as a file?
20:18 : nueva : no, I didn't have to restart. it's restarted automatically. and (by
looking into logs) it didn't restart from the kernel loading, it proceeds straight to
displaying progress bar within image with tree
20:19 : nueva : yes, one could point to initrd file
20:20 : Nyoxi : you got just the kernel image from geekmstr or the beginning of
mmcblk0 as a whole?
20:21 : nueva : again, there were no signs of fail from kexec (no error messages on
stdout/stderr, no error messages in logs, nothing).
20:21 : Nyoxi : I can tell you how to get the initrd out of there
20:21 : Nyoxi : hmm, but you have diag kernel, right?
20:21 : Nyoxi : I don't know the offset for diag, only for main kernel :/
20:22 : Nyoxi : I guess somebody will have to read more about kexec
20:22 : nueva : got the kernel image, as far as I could see (there is a string with
kernel version at offset 0x20 in file)
20:23 : nueva : yes, it's a diag kernel (according to geekmstr)
20:24 : Nyoxi : maybe it's on the same offset, can you show what's around the
address 0x18f00 ?
20:26 : Nyoxi : no, the offset is different for diag :/
20:28 : Nyoxi : 00190a0
20:34 : Nyoxi : and the size is 984064 bytes
20:36 : geekmstr : diag_kernel @ 0xe41000
20:36 : geekmstr : main kernel @ 0x41000
20:37 : Nyoxi : this is initrd in the kernel
20:37 : Nyoxi : 0xe41000 + 0x00190a0 is diags initrd
20:38 : geekmstr : Not sure about partition image though, maybe that length includes
initrd...
20:38 : Nyoxi : apparently the length specified in kernel header includes the
initrd
20:39 : geekmstr : how big was that image I sent? enough to contain initrd? otherwise
I need to clip that out of mmcblk0 also...
20:39 : Nyoxi : because for diags the offset 0x190a0 is 102560 in dec, and the
reported length of kernel is 5122560 bytes
20:42 : geekmstr : yes... diags_kernel.img
20:43 : geekmstr : The flash header at the front says how long it is. Also contains
CRC that is only valid if it never changes.
21:18 : nueva : successfully booted to diag mode through kexec'ing of geekmstr's
diag kernel
21:19 : nueva : the key was in explicit defining of kernel image type
'--type=uImage'
21:19 : geekmstr : awesome!
21:20 : geekmstr : how did you set type? in kexec?
21:20 : geekmstr : need simple step-by-step instruction for a noob (me) ;-)
21:20 : nueva : yes, there is an option of kexec
21:21 : geekmstr : how do you launch kexec? ssh?
21:22 : nueva : yes through ssh
21:26 : nueva : trying to repeat the result... crossing fingers :)
21:27 : nueva : no success :( but why? I didn't change the script which has been
run...
21:36 : nueva : ok, that's pretty strange. when KT is charged with USB wall
charger, it kexec's into diag mode fine (within 3-5 seconds after starting kexec).
when it's disconnected from wall outlet, it gets stuck at image with tree for minute
or so and then it's rebooted into main mode
21:37 : nueva : here is script for kexec'ing http://pastebin.com/AHTS5Qez
21:39 : geekmstr : got it.
21:41 : nueva : here is kexec binary extracted from Debian armel package
http://ge.tt/3xjysLE/v/0?c
21:41 : geekmstr : To load a kernel with MfgTool, the default name is "uImage".
21:42 : geekmstr : oh, I was scrolled up looking at cmdline. It matches the script.
21:43 : nueva : yes, it is that, copied cmdline
21:45 : nueva : ok, it's not 3-5, it's 7-10 seconds for kexec'ing to diag. there
will be an image with tree for second or two and after it -- diag mode
21:58 : nueva : kexec'ing works even without explicit defining of kernel image type
(without '--type' option). the key was charging through wall charger.
21:59 : geekmstr : I have seen most weird behavior because of system switching to "low
power mode".
21:59 : nueva : when Kindle is charging, kexec'ing works
22:00 : geekmstr : Most recovery efforts fail because of low battery. Much success
after charging.
22:01 : nueva : no, no. battery is almost fully charged. (95% or about so, looking
at battery icon)
22:02 : geekmstr : ?
22:02 : geekmstr : need to look at source code on that one...
22:02 : geekmstr : perhaps something to do with battery charging or low-power mode...
22:03 : nueva : I'm pretty lucky too, to have found this out by accident :)
----- Tue Feb 28 2012 -----

Please post here if you attempt this. We want to know about successes and failures, and especially any customized linux kernels that you booted. Also, be sure to post disk image and kernel files that boot Android OS from the USB Drive when you have them ready for us...

The title of this thread was changed to prevent confusion with booting from a linux kernel sent over a USB cable (using MfgTool or sb_loader). Those things are discussed in other threads, such as the "Select Boot" thread.

This thread is about booting a kindle from a kernel image stored on the kindle USB drive (using kexec).
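As an added example (not code from the thread, and not nueva's pastebin script, which is no longer reproduced here), the POSIX shell script below applies the numbers from the IRC log: the main and diags kernels sit at 0x41000 and 0xe41000 in the mmcblk0 image, the kernel version string is at offset 0x20, and the 4th dword of the header gives the kernel length, to which geekmstr adds 0x80 for the flash header and recommends copying with dd at bs=1024 without losing the last partial block. It assumes the image at each offset is a standard U-Boot uImage (big-endian fields, magic 0x27051956, size at bytes 12..15, name at 0x20), which is consistent with the `--type=uImage` kexec option that worked for nueva. The demo input is a constructed zero-filled file with a fake header, not a real Kindle dump; the kexec step at the end mirrors the options and diags cmdline posted in the log and is not run by the demo.

```shell
#!/bin/sh
# Added example: carve a kernel uImage out of an mmcblk0 backup using the
# offsets and header rule from the IRC log, then (optionally) kexec it.
set -u

MAIN_KERNEL_OFFSET=$((0x41000))     # from geekmstr, 18:22
DIAGS_KERNEL_OFFSET=$((0xe41000))   # from geekmstr, 18:22
UIMAGE_MAGIC=$((0x27051956))        # standard U-Boot uImage magic (assumption)

# Print the big-endian 32-bit word stored at byte OFFSET of IMG, as decimal.
be32_at() {
    img=$1; off=$2
    set -- $(od -An -tu1 -j "$off" -N 4 "$img")
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Bytes to copy for the uImage at OFFSET: the 4th dword (ih_size) plus the
# 0x80 bytes geekmstr adds for the flash header. Per the log this length also
# covers the initrd that follows the kernel. Fails when no uImage magic is found.
kernel_image_len() {
    img=$1; off=$2
    magic=$(be32_at "$img" "$off")
    if [ "$magic" -ne "$UIMAGE_MAGIC" ]; then
        echo "no uImage magic at offset $off" >&2
        return 1
    fi
    size=$(be32_at "$img" $((off + 12)))
    echo $(( size + 0x80 ))
}

# The 32-byte name field at offset 0x20 (the kernel version string nueva saw).
kernel_name() {
    img=$1; off=$2
    dd if="$img" bs=1 skip=$((off + 0x20)) count=32 2>/dev/null | tr -d '\000'
}

# Copy the kernel at OFFSET from IMG to OUT with bs=1024 (the offsets are
# 1024-aligned) and a block count rounded UP, so the last partial block is kept.
# Prints the exact image length in bytes.
extract_kernel() {
    img=$1; off=$2; out=$3
    len=$(kernel_image_len "$img" "$off") || return 1
    blocks=$(( (len + 1023) / 1024 ))
    dd if="$img" of="$out" bs=1024 skip=$((off / 1024)) count="$blocks" 2>/dev/null
    echo "$len"
}

# The kexec step as nueva described it: load the carved diags uImage with the
# diags cmdline geekmstr posted (19:13), then jump into it. Needs root on the
# Kindle and the kexec binary; not exercised by the demo below.
DIAGS_CMDLINE='consoleblank=0 rootwait ro ip=off root=/dev/mmcblk0p2 quiet user_debug=31 eink=fslepdc video=mxcepdcfb:E60,bpp=8 console=ttymxc0,115200'
load_diags_kernel() {
    image=$1
    kexec --type=uImage -l "$image" --command-line="$DIAGS_CMDLINE" || return 1
    kexec -e
}

# Constructed demo input (NOT a real Kindle dump): a zero-filled file with a
# fake uImage header at MAIN_KERNEL_OFFSET, ih_size = 1000 bytes (0x3e8),
# and "demo-kernel" in the name field. Magic bytes 27 05 19 56 are written in octal.
make_demo_image() {
    out=$1; off=$MAIN_KERNEL_OFFSET
    dd if=/dev/zero of="$out" bs=1024 count=$((off / 1024 + 4)) 2>/dev/null
    printf '\047\005\031\126' | dd of="$out" bs=1 seek="$off" conv=notrunc 2>/dev/null
    # file is already zero, so only the two low bytes of ih_size need writing
    printf '\003\350' | dd of="$out" bs=1 seek=$((off + 14)) conv=notrunc 2>/dev/null
    printf 'demo-kernel' | dd of="$out" bs=1 seek=$((off + 0x20)) conv=notrunc 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_demo_image "$tmp/mmcblk0.img"
    echo "name:   $(kernel_name "$tmp/mmcblk0.img" "$MAIN_KERNEL_OFFSET")"
    echo "length: $(extract_kernel "$tmp/mmcblk0.img" "$MAIN_KERNEL_OFFSET" "$tmp/main_kernel.img") bytes"
    echo "copied: $(wc -c < "$tmp/main_kernel.img" | tr -d ' ') bytes (rounded up to 1024)"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh carve.sh demo` to see it on the constructed image; on a real backup call `extract_kernel mmcblk0.img "$DIAGS_KERNEL_OFFSET" diags_kernel.img` instead. The rounding-up is the point of geekmstr's "do not dd more than bs=1024" remark: a block count rounded down silently drops the tail of the image.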

Hmm...
Sorry, I can't understand: can it be useful for unbricking a Kindle Touch?

I flashed diags partition and successfully "dd" mmcblk0p1 using SSH but still can't boot in main mode.

Regarding your question about using a custom linux kernel for debricking... I would say "Not at this time".

Booting a custom linux kernel is useful for kernel mode development, such as creating a new device driver, without a bug in the new device driver causing the kindle to get bricked. One of our members (dasmoover) had his kindle touch sit on a shelf gathering dust after his "tun.ko" driver bricked his touch in a way that required our debricking methods to progress to a point where he was able to recover it.

Regarding the problem that you described, it sounds like you repaired your kindle. Perhaps you need to change your bootmode idme var. To do that, boot to diags, and from an SSH shell, type these commands:

I don't think this changes the game regarding openinkpot. In order to use it, you still have to compile it and adapt it to the platform. This probably belongs in another thread, but anyway: the kernel itself is open enough already, at least for a lot of purposes. Of course, kexec is still a good thing to have, but openinkpot won't require a different kernel. Rather, openinkpot would have to be adapted to the kindle environment: e-ink handling, and I think more importantly power management (and some secondary things like wifi and wan). After all, you still need a kernel tailored for the hardware. And the best fit for now are most probably Amazon's kernel sources.

Where a custom kernel is most needed is for running android, which has lots of custom kernel patches. Thankfully, this is only a temporary problem, because many custom android patches were just included in the latest official linux kernel build.

I think you should read the thread that geekmaster referenced above - and maybe ask resulting questions there. As for what this thread is about: I don't think that kexec will help in your case. It's rather for booting a different kernel from a working environment. Please refer to

Quote:

This thread is about custom linux kernel testing. There are other threads for kindle debricking:

Can we boot diags from mmcblk0p2.img using KindleSelectBoot? I erased my kindle using fastboot, now it has nothing in it. How am I gonna fix it? Help me geekmaster, please.

I stopped counting all the "help me obi-wan...err...geekmaster, you're my only hope!' posts "long long ago..."

As described in the "simple debricking" thread linked from hawhill's post, you can download mmcblk0p2_ssh and flash it to diags with fastboot, then boot diags with MfgTool and export the USB drive, download and copy mmcblk0p1 to the USB drive, start SSH from diags and copy mmcblk0p1 from the USB drive to /dev/mmcblk0p1. Then set bootmode to main and reboot. As hawhill said, this simple debricking method is described in detail at the link he provided. Go there for details and download links.

Last edited by geekmaster; 03-23-2012 at 08:02 AM.
Reason: typophrenia

Thanks, I have read that before. My kindle cannot boot into fastboot, don't know why.

...
I erased my kindle using fastboot, now it has nothing in it. How am I gonna fix it? Help me geekmaster, please.

Quote:

Originally Posted by 352478140

...
My kindle cannot boot into fastboot, don't know why.

Just how much of the mmc did you ERASE? Fastboot lives in the bist uboot partition. If you erased that, you erased fastboot mode.

Can you boot to diags? Or, did you erase that too?

If you erased EVERYTHING (why?) you either need to flash the partitions over the serial port, or wait until SOMEBODY creates a custom MfgTool profile that can flash these partitions.

There is a post in this forum by rastik about how he recovered from a total erasure of mmc, by flashing mmc using the serial port and a flash image sent to the kindle using ymodem serial protocol.

There is no need to erase the mmc (ever), and it just makes recovery more difficult. Yifanlu warned against doing any fastboot commands that you do not understand, and now you must learn new stuff to overcome the consequences of your actions.

You must either invest the time to learn how to debrick this using methods described in various posts (or read the freescale documents and create a custom MfgTool profile to flash the partitions), or you must buy a replacement kindle. It is up to you to decide how to invest your time and money resources. If you do not want to spend the time, then spend the money on a replacement kindle (and donate this one to somebody who DOES want to spend the time on it).